One thing I should have pointed out before is that libvirt doesn't have
support for the bridge helper yet. I hard coded the qemu options in the
domain XML to test this. I'm not sure if that would prevent this patch
from getting in or not.

On 03/12/2012 02:36 PM, Jamie Strandboge wrote:

On Mon, 2012-03-12 at 09:13 -0400, Corey Bryant wrote:

This patch provides AppArmor policy updates for the QEMU bridge helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network
bridge. For more details on the helper, please refer to:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
Signed-off-by: Corey Bryant <coreyb linux vnet ibm com>

I've not used the helper personally, but the policy makes sense overall.
I do have a few questions:

+ capability setuid,
+ capability setgid,
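Review bot: `capability setuid,` and `capability setgid,` are what a SUID helper needs for the id change it makes while dropping privileges, but nothing on these two lines says so; a one-line comment above them stating that they exist only for the privilege drop would record why a helper that otherwise needs just CAP_NET_ADMIN is also granted setuid and setgid, and would keep a later edit from widening or silently keeping them.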

I'm assuming these are needed because qemu-bridge-helper drops
privileges?

Yes, exactly.

+ capability setpcap,
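Review bot: `capability setpcap,` is the broadest grant in this hunk and the reason for it (modifying the bounding capability set, as the reply below explains) is not visible in the profile itself; add a comment on this line saying it is required for the bounding-set drop, so the rule is not read as a general permission to manipulate capabilities.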

Can you explain why this capability is needed by qemu-bridge-helper?

This is required to modify the bounding capability set. Here are the
calls the helper uses to modify capabilities:
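The privilege drop the thread describes (setuid/setgid for the id change, setpcap for the bounding set, CAP_NET_ADMIN as the single capability retained), as an added example in raw Linux syscalls. It is constructed for this page and is not qemu-bridge-helper's own code; the function names, the libcap-free approach and the caller-supplied target uid/gid are assumptions.

```c
/* Added, constructed example (not qemu-bridge-helper's own code): a SUID
 * helper dropping to a single capability using raw Linux syscalls. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* two 32-bit words per set */

/* Build a capset(2) payload holding only `keep` in permitted and effective;
 * inheritable stays empty so nothing leaks across a later execve(). */
void build_cap_data(int keep, struct __user_cap_data_struct data[CAP_WORDS])
{
    for (int i = 0; i < CAP_WORDS; i++)
        data[i].effective = data[i].permitted = data[i].inheritable = 0;
    data[CAP_TO_INDEX(keep)].permitted = CAP_TO_MASK(keep);
    data[CAP_TO_INDEX(keep)].effective = CAP_TO_MASK(keep);
}

/* Check: does the payload grant exactly `cap` and nothing else? (1 = yes) */
int cap_data_grants_only(const struct __user_cap_data_struct data[CAP_WORDS], int cap)
{
    for (int i = 0; i < CAP_WORDS; i++) {
        uint32_t want = (CAP_TO_INDEX(cap) == i) ? CAP_TO_MASK(cap) : 0;
        if (data[i].permitted != want || data[i].effective != want ||
            data[i].inheritable != 0)
            return 0;
    }
    return 1;
}

/* Privilege drop; each step names the capability that AppArmor must grant:
 *   prctl(PR_CAPBSET_DROP) on the bounding set   -> capability setpcap
 *   setgid()/setuid() to the caller's ids         -> capability setgid/setuid
 *   capset() leaving only `keep`; returns 0 or -errno, needs root to succeed. */
int drop_to_single_cap(int keep, uid_t uid, gid_t gid)
{
    /* Keep permitted across the uid change; the kernel still clears effective,
     * so capset() below re-raises `keep` from the retained permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno;
    for (int cap = 0; prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0; cap++)
        if (cap != keep && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0) return -errno;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    build_cap_data(keep, data);
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    return 0;
}
```

A helper would call `drop_to_single_cap(CAP_NET_ADMIN, getuid(), getgid())` before touching the bridge; the AppArmor profile must then allow exactly the three capabilities the comment lists plus net_admin.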